The script generates a different message when there are zero days remaining (the password is expired and must be changed today) and stops notifying users once the remaining days go negative. Negative deadlines are produced by some account options, such as the "user must change password at next logon" flag, and you don't want to fill up a user's mailbox when they can't access their mail before changing their password anyway.
To set up the script, search for the "# CONFIG:" strings and edit the lines that follow them as documented, then run it on a server as a daily scheduled task.
Active Directory Password Expiration Email Notification Script
Import-Module ActiveDirectory
# Domain-wide maximum password age, in days.
$maxdays=(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.TotalDays
$summarybody="Name `t ExpireDate `t DaysToExpire `n"
$ThereAreExpiring=$false
# Enabled accounts with a mailbox whose passwords actually expire, oldest password first.
(Get-ADUser -filter {(mail -like "*@domain.com") -and (Enabled -eq "True") -and (PasswordNeverExpires -eq "False")} -properties *) | Sort-Object pwdLastSet |
foreach-object {
    # pwdLastSet is a Windows FILETIME. A value of 0 (must change at next logon) gives a date in 1601
    # and therefore a large negative day count, which the elseif branch below reports without mailing the user.
    $lastset=Get-Date([System.DateTime]::FromFileTimeUtc($_.pwdLastSet))
    $expires=$lastset.AddDays($maxdays).ToShortDateString()
    $daystoexpire=[math]::round((New-TimeSpan -Start $(Get-Date) -End $expires).TotalDays)
    $samname=$_.samaccountname
    $firstname=$_.GivenName
    # Notify only on the 14, 7, 3, 1 and 0 day checkpoints.
    if (($daystoexpire -eq 14) -or ($daystoexpire -eq 7) -or ($daystoexpire -eq 3) -or ($daystoexpire -eq 1) -or ($daystoexpire -eq 0)) {
    # Alternative: notify every day once inside the 14 day window.
    #if ($daystoexpire -le 14) {
        $ThereAreExpiring=$true
        # CONFIG: Enter from email address.
        $emailFrom = "helpdesk@domain.com"
        # CONFIG: Replace domain domain.com with your email domain. Do not change $samname.
        $emailTo = "$samname@domain.com"
        if ($daystoexpire -eq 0) {
            # CONFIG: Enter text for subject and body of email notification for zero days remaining.
            $subject = "$firstname, your password has expired!"
            $body = "$firstname,
Your password has expired and you must change it immediately. No further email notifications will be sent.
Contact support at extension XXXX for assistance."
        }
        else {
            # CONFIG: Enter text for subject and body of email notification for 14, 7, 3, and 1 days remaining.
            $subject = "$firstname, your password expires in $daystoexpire day(s)!"
            $body = "$firstname,
Your password expires in $daystoexpire day(s).
If you are using a Windows computer, press Ctrl + Alt + Del, then click Change password.
If you are using a Mac computer, follow the instructions at http://sharepoint/Documentation to change your password.
"
        }
        # CONFIG: Enter your smtp server here.
        $smtpServer = "email.domain.com"
        $smtp = new-object Net.Mail.SmtpClient($smtpServer)
        $smtp.Send($emailFrom, $emailTo, $subject, $body)
        $summarybody += "$samname `t $expires `t $daystoexpire `n"
    }
    elseif ($daystoexpire -lt 0) {
        $ThereAreExpiring=$true
        # Add a note to the report email, but don't notify user.
        $summarybody += "$samname `t $expires `t $daystoexpire `n"
    }
}
if ($ThereAreExpiring) {
    # CONFIG: From address for report to Helpdesk/IT Admin staff.
    $emailFrom = "helpdesk@domain.com"
    # CONFIG: Address to send report email to (for Helpdesk/IT Admin staff).
    $emailTo = "helpdesk@domain.com"
    # CONFIG: Subject for report email.
    $subject = "Expiring passwords"
    $body = $summarybody
    # CONFIG: SMTP Server.
    $smtpServer = "email.domain.com"
    $smtp = new-object Net.Mail.SmtpClient($smtpServer)
    $smtp.Send($emailFrom, $emailTo, $subject, $body)
}
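As an added example (not part of the original post or its script), here is the days-to-expire arithmetic pulled into a function so it can be checked offline against constructed sample accounts, with the pwdLastSet = 0 case (the "must change password at next logon" flag) handled explicitly instead of surfacing as a huge negative number, and the send step given a dry-run switch. The function names, parameter names, fixed "today" and the five sample users are assumptions made for this example; the addresses and SMTP server are the placeholders from the script above.

```powershell
# Added example, not the blog's script. Function/parameter names and sample data are assumptions.

function Get-PasswordExpiryInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [Int64]  $PwdLastSet,          # raw AD attribute (Windows FILETIME)
        [Parameter(Mandatory)] [double] $MaxPasswordAgeDays,  # (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.TotalDays
        [datetime] $Now = (Get-Date),
        [int[]]    $NotifyAt = @(14, 7, 3, 1, 0)              # the script's reminder checkpoints
    )

    # pwdLastSet = 0 means the "must change password at next logon" flag is set.
    # There is no real expiry date, so report the account but never e-mail the user.
    if ($PwdLastSet -eq 0) {
        return [pscustomobject]@{
            SamAccountName = $SamAccountName
            ExpireDate     = $null
            DaysToExpire   = $null
            Status         = 'MustChangeAtNextLogon'
            Notify         = $false
        }
    }

    $lastSet = [datetime]::FromFileTimeUtc($PwdLastSet).ToLocalTime()
    $expires = $lastSet.AddDays($MaxPasswordAgeDays)
    # Compare calendar dates so the day count does not depend on what time the scheduled task runs.
    $daysToExpire = ($expires.Date - $Now.Date).Days

    $status = if ($daysToExpire -lt 0) { 'Expired' }
              elseif ($daysToExpire -eq 0) { 'ExpiresToday' }
              else { 'Active' }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        ExpireDate     = $expires.ToShortDateString()
        DaysToExpire   = $daysToExpire
        Status         = $status
        Notify         = ($NotifyAt -contains $daysToExpire)
    }
}

function Send-ExpiryNotice {
    # Same Net.Mail.SmtpClient call as the script; -DryRun prints the message instead of sending it.
    param(
        [Parameter(Mandatory)] $Info,
        [string] $From = 'helpdesk@domain.com',
        [string] $MailDomain = 'domain.com',
        [string] $SmtpServer = 'email.domain.com',
        [switch] $DryRun
    )
    $to = "$($Info.SamAccountName)@$MailDomain"
    if ($Info.DaysToExpire -eq 0) {
        $subject = 'Your password has expired!'
        $body    = 'Your password has expired and you must change it immediately. No further email notifications will be sent.'
    } else {
        $subject = "Your password expires in $($Info.DaysToExpire) day(s)!"
        $body    = "Your password expires in $($Info.DaysToExpire) day(s). Press Ctrl + Alt + Del, then click Change password."
    }
    if ($DryRun) {
        Write-Host "[dry run] To: $to  Subject: $subject"
        return
    }
    (New-Object Net.Mail.SmtpClient($SmtpServer)).Send($From, $to, $subject, $body)
}

# Constructed sample input standing in for Get-ADUser output. "Today" is fixed so the
# day counts in the comments are reproducible; maximum password age is assumed to be 90 days.
$maxDays = 90
$today   = Get-Date '2024-03-15'
$sampleUsers = @(
    @{ Sam = 'alice'; PwdLastSet = (Get-Date '2023-12-20').ToFileTimeUtc() }  # expires 2024-03-19: 4 days, no mail
    @{ Sam = 'bob';   PwdLastSet = (Get-Date '2023-12-23').ToFileTimeUtc() }  # expires 2024-03-22: 7 days, mail
    @{ Sam = 'carol'; PwdLastSet = (Get-Date '2023-12-16').ToFileTimeUtc() }  # expires 2024-03-15: 0 days, final mail
    @{ Sam = 'dave';  PwdLastSet = (Get-Date '2023-12-01').ToFileTimeUtc() }  # expired 2024-02-29: -15 days, report only
    @{ Sam = 'erin';  PwdLastSet = 0 }                                        # must change at next logon, report only
)

$report = foreach ($u in $sampleUsers) {
    Get-PasswordExpiryInfo -SamAccountName $u.Sam -PwdLastSet $u.PwdLastSet -MaxPasswordAgeDays $maxDays -Now $today
}

# Helpdesk report: every account that is at a checkpoint, already expired, or flagged.
$report | Where-Object { $_.Notify -or $_.Status -ne 'Active' } |
    Format-Table SamAccountName, ExpireDate, DaysToExpire, Status, Notify -AutoSize

# User notices only for rows at a checkpoint (bob and carol here); drop -DryRun to really send.
$report | Where-Object Notify | ForEach-Object { Send-ExpiryNotice -Info $_ -DryRun }
```

Comparing on calendar dates rather than rounding a TimeSpan is what keeps the checkpoint test stable: the script's `[math]::round` on a span measured from the current time of day can land on 6 or 8 when the task happens to start late, which silently skips a reminder. To use the function against a live domain, feed it `(Get-ADUser -Filter ... -Properties pwdLastSet).pwdLastSet` in place of the sample hashtables.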
10 comments:
Great PS script!!! I had no trouble implementing it, but how would I add an attachment to this script? I want to send out a PDF with this email message.
Thanks!!
I'm still a PowerShell novice myself. This looks promising: http://www.techrepublic.com/blog/window-on-windows/send-an-email-with-an-attachment-using-powershell/4969
Nice, but can the admin report be changed to an HTML format? This way the email report is easier to read in columns etc.
A sort of formatting can be obtained like this:
$formatString="|{0,-40}|{1,-25}|{2,-19}|{3,11}|{4,9}|`n"
$summarybody+=$formatString -f "Display Name", "Account", "Last Set", "Expire Date", "Days Left"
Details here: https://devcentral.f5.com/blogs/us/powershell-abcs-f-is-for-format-operator
and here:
http://ofps.oreilly.com/titles/9781449320683/strings_and_unstructured_text.html
What version of PowerShell is this? What is the command to leave out users with "must change password at next logon" checked? Also, how long should this take to run with about 250 users?
Open a PowerShell and import the Active Directory module:
import-module ActiveDirectory
To see all attributes that you can use, try (replace <username> with a sAMAccountName):
get-aduser -identity <username> -Properties *
It's really a nice PowerShell script. For those who want to use a nice GUI tool for this, you can use the JiJi Password & Account Expiration Notification Tool. You can find the details here: www.jijitechnologies.com/jiji-password-expiration-notification.aspx
Hi,
Sorry, English is my third language... Sorry for the following mess...
Here are my 3 questions:
1. Do I need to change the @domain.com to my domain name in this row: (Get-ADUser -filter {(mail -like "*@domain.com")
2. On which server do I need to run this script?
and finally
3. How can I revert this script?
Regards,
Jack
Please let me know.
Regards
Excellent, it helps to get notifications for expiring passwords emailed to users, but I found this automated tool (http://www.lepide.com/user-password-expiration-reminder/) which automatically reminds users to change their passwords before they expire.